National Change of Address Program
Audit Report
Report Number IT-AR-14-010
September 24, 2014

Highlights

Background
More than 40 million Americans change their addresses annually and submit change of address (COA) orders to the U.S. Postal Service. Customers can submit orders electronically through the Internet or submit hard copy orders through the mail or at a Post Office retail counter. The Postal Service provides COA information for a fee through National Change of Address Linkage (NCOALink) to licensees who facilitate relationships with business mailers. NCOALink is an application containing about 160 million COA records. The Postal Service requires licensees and their customers to complete a Processing Acknowledgment Form (acknowledgement form) to comply with the Privacy Act of 1974 and document the companies’ intended use of the data.

Our objectives were to determine whether security controls over the COA manual process and NCOALink data adequately protect the confidentiality and integrity of customer data and identify potential solutions for improving the Postal Service’s acknowledgement form process.

What The OIG Found
Security controls over the COA manual processes and NCOALink data are not sufficient to protect the confidentiality and integrity of customer information. We visited one of the 22 Computerized Forwarding System sites and found personnel did not adhere to controls related to processing and retaining hard copy COA orders.

We also determined the Postal Service is using outdated software to [redacted] data. In addition, NCOALink license agreements did not always have sufficient contract provisions to protect customer data, and management did not always monitor these agreements for licensee compliance.

As a result, there is a risk that unauthorized users could access COA data and NCOALink data could be breached, which could lead to fines and a negative impact on the Postal Service brand. We estimated 13,554,542 NCOALink customer records with a potential value of $228 million are at risk.

In addition, management does not have an enterprise solution in place or plan to automate the acknowledgement form process.

What The OIG Recommended
We recommended management centralize user account management in eAccess for the COA Forms Processing System, and store hard copy COA orders in accordance with policy. We also recommended management re-initiate the National Change of Address certification and accreditation process, upgrade outdated security software, identify all cooperative database mailers and their activities, and implement a process to ensure current Postal Service requirements are in all license agreements to protect customer information.

Finally, we recommended management implement a plan of action for conducting random site security reviews of licensees and evaluate potential solutions and benefits of automating the acknowledgement form process.
Transmittal Letter

September 24, 2014

MEMORANDUM FOR:
ROBERT CINTRON
VICE PRESIDENT, PRODUCT INFORMATION

JOHN T. EDGAR
VICE PRESIDENT, INFORMATION TECHNOLOGY

EDWARD F. PHELAN, JR.
VICE PRESIDENT, DELIVERY AND POST OFFICE OPERATIONS

MICHAEL J. AMATO
VICE PRESIDENT, ENGINEERING SYSTEMS

MICHAEL J. ELSTON
ASSOCIATE GENERAL COUNSEL AND CHIEF ETHICS/COMPLIANCE OFFICER, CHIEF ETHICS/COMPLIANCE OFFICE

CHARLES L. MCGANN, JR.
MANAGER, CORPORATE INFORMATION SECURITY OFFICE

DAVID G. BOWERS
POSTAL INSPECTOR IN CHARGE, SECURITY AND CRIME PREVENTION

FROM:
Kimberly F. Benoit
Deputy Assistant Inspector General for Information Technology and Data Analysis
(E-Signed by Kimberly Benoit; verify authenticity with eSign Desktop)

SUBJECT:
Audit Report – National Change of Address Program (Report Number IT-AR-14-010)

This report presents the results of our audit of the National Change of Address Program (Project Number 14BG006IT000).

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Aron Alexander, director, Information Technology, or me at 703-248-2100.

Attachment

cc: Corporate Audit and Response Management

Table of Contents

Cover
Highlights ..... 1
  Background ..... 1
  What The OIG Recommended ..... 2
Transmittal Letter ..... 3
Findings ..... 6
  Introduction ..... 6
  Conclusion ..... 8
  Access Controls at the Computer Forwarding Site ..... 8
  Controls Over National Change of Address Linkage Customer Data ..... 9
    National Change of Address Linkage Data Protection ..... 9
    National Change of Address Linkage License Provisions ..... 9
    National Change of Address Linkage License Monitoring ..... 10
Recommendations ..... 12
  Management’s Comments ..... 13
  Evaluation of Management’s Comments ..... 14
Appendices ..... 15
  Appendix A: Additional Information ..... 16
    Background ..... 16
    Objectives, Scope, and Methodology ..... 16
    Prior Audit Coverage ..... 17
  Appendix B: Management’s Comments ..... 18
Contact Information ..... 30

Findings

Introduction
This report presents the results of our self-initiated audit of the National Change of Address (NCOA) Program (Project Number 14BG006IT000). Our objectives were to determine whether security controls over the change of address (COA) manual process and National Change of Address Linkage (NCOALink) data adequately protect the confidentiality and integrity of customer data and identify potential solutions for improving the U.S. Postal Service’s Processing Acknowledgement Form (acknowledgement form)[1] process.
See Appendix A for additional information about this audit.

When mail is misaddressed,[2] the Postal Service and business mailers incur added costs for sorting, transporting, delivering, and disposing of it. As a result, the Postal Service implemented address correction services in 1924 and the NCOA Program in 1986. The NCOA Program includes COA services that provide customers the option of forwarding mail to their new address by submitting COA orders electronically through the Postal Service’s website or submitting hard copy orders[3] through the mail or at a Postal Service retail counter.

[Graphic: The Postal Service scans hard copy COA orders at 64 Postal Automated Redirection System sites and 22 Computerized Forwarding System sites across the country.]

[1] A written request to use COA information for mailing purposes in accordance with the license agreement and the Privacy Act of 1974 (Section 552a).
[2] Undeliverable as Addressed (UAA) mail the Postal Service cannot deliver as addressed and must forward to a different address for the addressee, return to the sender, or, in some cases, destroy.
[3] Hard copy COA orders consist of the official Change of Address Order (Form 3575) obtained at a retail office and U.S. Postal Service Change of Address Order (Form 3575-WWW) from the official USPS® COA website.

The Postal Service scans hard copy COA orders at 64 Postal Automated Redirection Systems (PARS)[4] and 22 Computerized Forwarding System (CFS)[5] sites across the country. Additional processing of scanned COA images may occur at the Remote Encoding Center (REC)[6] in Salt Lake City, UT. Hard copy COA orders totaled 25 million (or 65 percent) of the 39 million COA orders processed in fiscal year 2013. To confirm the validity of COA orders, the Postal Service sends confirmation and validation letters to the customer’s old and new address and places a 5-day hold on mail interception to allow for delivery of the confirmation letter.

[Chart: 25 million, or 65 percent, of the 39 million change of address orders processed in FY 2013 were hard copy; the other 35 percent (14 million) were submitted electronically.]

The Address Management group in Memphis, TN, stores COA data in the NCOA database.[7] Address Management provides COA data to licensees through the NCOALink application[8] to minimize misaddressed mail and related costs incurred by the Postal Service and business mailers. Licensees acquire a license to obtain COA data from the Postal Service.[9] The licensees then provide NCOALink data to their customers, which include business mailers and other entities.[10] Prior to obtaining NCOALink data and services, the licensees and their customers must complete an acknowledgement form to comply with Privacy Act requirements. Licensees are also required to collect annual updates of acknowledgement forms from their customers and provide the Postal Service with monthly performance reports.

[4] An automated system that identifies and redirects UAA mail in a live mail processing environment at 258 select processing and distribution centers, 64 of which process COA Forms 3575.
[5] The 22 CFS sites are responsible for entering the customer’s “old” and “new” address information into the CFS database to facilitate address correction notifications and further handling of mailpieces.
[6] A postal facility that processes COA unreadable image data to correct delivery address information.
[7] The NCOA application is a database of COA records that stores COA information for postal patrons and consists of 20 modules, including NCOALink.
[8] NCOALink is a premailing, address correction method consisting of a secure dataset of permanent COA records of about 160 million residential and business customers who have filed COA requests.
[9] During our audit, the Postal Service had 515 NCOALink license agreements and 16 additional NCOALink licenses were pending.
[10] These entities include broker-agents, who act as middle men between the business mailer and licensee; list administrators, who house, update, and manage the mailing list for the business mailer; list custodians, who are responsible for the address mailing list for a particular company; list brokers, who are third-party companies that compile and sell customer names and addresses; and cooperative database participants that consist of many companies that contribute information to a database in return for aggregate information on customers of other participants.

Conclusion
Security controls related to the COA manual submission[11] process and NCOALink data transmissions and license agreements
need to improve. Of the 22 CFS sites, we visited one and found personnel did not adhere to controls related to processing and retaining hard copy COA orders. We also determined the Postal Service is using an outdated [redacted][12] within the application. Further, NCOALink license agreements did not always have sufficient contract provisions to protect customer data and management did not always monitor existing agreements for licensee compliance.

There is a risk that COA data could be accessed by unauthorized users, which could lead to fines and a negative impact on the Postal Service brand. We estimated that 13,554,542 NCOALink customer records with a potential value of $228 million are at risk.

Access Controls at the Computer Forwarding Site
Management did not implement existing controls over COA orders at the Jackson, TN, CFS site. Specifically, COA orders were not stored in a secured area, as required by policy.[13] During our visit to the facility, we found numerous hard copy COA orders, some dating back to July 2013, stored in an unsecured open area accessible to all Jackson CFS site employees. See Figure 1 for a photograph of the area where employees stored the orders.

Figure 1. Storage of COA Orders
[Photograph]
Source: U.S. Postal Service Office of Inspector General (OIG) photograph taken April 10, 2014.

This site opened in June 2013 and the new supervisor was not aware of the CFS storage process. Improper storage of sensitive COA orders increases the risk an unauthorized individual will access a customer’s COA information.

[11] Hard copy COA submissions consist of Form 3575 obtained at a retail office and Form 3575-WWW printed from the Internet COA website.
[12] Per the National Institute of Standards and Technology, the outdated [redacted]
[13] Handbook AS-805, Information Security, Section 3-5.3, Retention and Storage of Information; and Section 7-3.4 Sensitive-Enhanced, Sensitive, and Critical Media, May 2014.

In addition, all four CFS operators at the Jackson CFS site were using the same user account and password to log into the COA Forms Processing System (CFPS).[14] This occurred because the CFS operator responsible for providing user access was not aware of password policies.[15] In addition, the CFPS system is not a part of the eAccess system[16] and, as a result, management cannot establish accountability for individuals responsible for errors in data entry or misuse of the system.

Controls Over National Change of Address Linkage Customer Data
The Postal Service could enhance controls over NCOALink data related to data transmission, license provisions, and license monitoring to secure COA information. We estimated 13,554,542 NCOALink customer records with a potential value of $228 million are at risk of unauthorized access.

National Change of Address Linkage Data Protection
The NCOA Program office uses an outdated [redacted][17] coupled with an in-house, patented [redacted][18] to [redacted][19] NCOALink data provided to its licensees. The outdated [redacted] does not comply with security policy[20] because management was unaware of the policy. In addition, the outdated [redacted] was not reviewed in the latest risk assessment process[21] to determine vulnerabilities associated with the NCOA application. Management stated that changing the current [redacted] to conform to the policy would require a major upgrade to Postal Service systems and those of its licensees. Because the Postal Service uses this outdated [redacted], a person could crack the [redacted] to access or change sensitive NCOALink customer data.

[Redacted], the National Institute of Standards and Technology required applications in federal agencies to move to an updated [redacted]. In addition, Microsoft announced that Windows will stop supporting the current [redacted] by [redacted]; therefore, if the Postal Service does not begin to convert the NCOALink application to a more secure standard, it might not be able to transmit data to its licensees as their systems are upgraded.

National Change of Address Linkage License Provisions
NCOALink license agreements did not always contain sufficient contract provisions that require licensees and business mailers to secure customer data. We sampled 36 of 515 NCOALink license agreements and determined they all contained at least one of the following issues:

[14] The CFPS automates the COA form process by scanning the cards and transmitting the information to the NCOA database.
[15] Handbook AS-805, Section 9-4, Accountability, March 2014.
[16] eAccess is an enterprise application used to manage authorization of access to information resources by centralizing the management of personnel identities and access rights over the entire lifecycle, from user account creation and registration to termination.
[17] [redacted]
[18] James D. Wilson, et al., Method and System for Efficiently Retrieving Secured Data by Securely Pre-processing Provided Access Information; U.S. Patent No.
7,549,053,\n                                                             June 16, 2009.\nAppendices\n\n\n\n\n                                                         19\t The process of hiding original data with random characters. The main reason for applying              to data is to protect personal identifiable or sensitive data.\n                                                                         are not encryption methods, but offer addtional system security\xc2\xa0using a                                              .\n                                                         20\t According to Handbook AS-805, Section 9-7.4, the Postal Service\xe2\x80\x99s                                                            In addition, Handbook AS-805-A, Information\n                                                             Resource Certification and Accreditation Process, Section 4-3.4.6, Assess Risk; and Section 4-3.4.7, Conduct Risk Assessment, October 2009, require an ongoing risk\n                                                             assessment for all information resources to\xc2\xa0identify security concerns such as threats, vulnerabilities, and control weaknesses.\n                                                         21\t The risk assessment is part of the certification and accreditation process.\n                                                         22\t\n                    National Change of Address Program\n                    Report Number IT-AR-14-010\n                                                                                                                                                                               Print                                               9\n\x0cHighlights                                               \xe2\x96\xa0\xe2\x96\xa0 Thirty-four license agreements did not have adequate \xe2\x80\x9cSecurity Documentation\xe2\x80\x9d23 to assure third-party adherence to privacy\n                            
                                and security requirements.\n\n                                                         \xe2\x96\xa0\xe2\x96\xa0 Three of the licensees in our sample are commingling Postal Service NCOALink data servers in third-party data centers shared\n                                                            with other companies, which violates policy.24\n\n                                                         \xe2\x96\xa0\xe2\x96\xa0 Licensees are not identifying all cooperative database business mailers25 who receive NCOALink data as stipulated in their\n                                                            monthly performance report requirements.\nTable of Contents\n\n\n\n\n                                                         These security issues occurred because there is no assigned contracting authority or process to ensure management incorporates\n                                                         the appropriate security, privacy, and acknowledgement form requirements into NCOALink license agreements. In addition,\n                                                         management does not require complete cooperative database mailers\xe2\x80\x99 information on the licensees\xe2\x80\x99 monthly performance reports.\n                                                         Further, cooperative database mailers for a licensee share one set of credentials26 and, as a result, sensitive NCOALink customer\n                                                         data is at risk of unauthorized access in and outside the U.S., which could lead to data breaches, fines, and a negative impact on\n                                                         the Postal Service brand.\n\n                                                         National Change of Address Linkage License Monitoring\n                                                         Management is not monitoring licensee compliance with NCOALink license agreements. 
For example:

■ Licensees are transmitting sensitive customer data in [redacted] to business mailers using File Transfer Protocol (FTP),[27] which is insecure (FTP does not encrypt the session, so logon credentials and file contents are exposed in transit) and violates policy.[28]

■ Management did not adhere to existing policy[29] when they decided to no longer require licensees to complete site security review worksheets as part of the licensing and certification process. Moreover, the Postal Inspection Service and the Corporate Information Security Office (CISO) have never performed site security reviews of licensees' environments, as required by policy and the license agreements.

■ Some licensees are using unsupported operating systems[30] to store Postal Service COA data; therefore, security updates are no longer available, leaving COA data at risk of data breaches.

■ International mailers are participating in the NCOALink service program, which is a violation of the NCOALink agreement.[31] A total of 2,674 international mailers have agreements with 19 NCOALink licensees located in the U.S. Of the 36 license agreements we reviewed, we also determined nine international mailers stored NCOALink data outside the U.S.

23 As part of the licensing and certification process, the Postal Service requires licensees to provide a self-certifying document to identify their internal, physical, and logical security controls.
24 Handbook AS-805, Section 10.4.8, Isolation of Postal Service Information.
25 Cooperative database mailers consist of many companies that contribute information to a database in return for aggregate information on customers of other participants. Some licensees have over 300,000 companies participating in their cooperative database.
26 A licensee can provide multiple cooperative database mailers one acknowledgement form identification (ID) for accessing NCOALink data.
27 A standard Internet protocol for transmitting files in [redacted] between computers on the Internet.
28 Handbook AS-805, Section 9-7.1, Encryption.
29 Handbook AS-805, Section 4-1, Security Risk Management Policy.
30 Unsupported operating systems such as Windows NT, Windows 2000, and Windows XP.
31 According to the NCOALink license agreements, the service is only available to entities within the U.S.

■ Management stated they do not always ensure all third parties are updating acknowledgement forms. Specifically, some business mailers and other third-party participants only update their acknowledgement form information when their contact information changes. Also, the Postal Service does not ensure the acknowledgement form renewal process between licensees and business mailers is occurring and does not store updated acknowledgement form information.

These monitoring issues occurred because there is no assigned contracting authority or an automated acknowledgement form process to monitor and address compliance issues.
The current process requires licensees and the Postal Service to maintain hard copies or scanned images of their acknowledgement forms (some licensees could have up to 300,000 acknowledgement forms to maintain); therefore, monitoring acknowledgement form compliance or conducting research on customers obtaining NCOALink data is labor intensive.

This puts sensitive NCOALink customer data at risk of unauthorized access, which could lead to fines and a negative impact on the Postal Service brand. Without an automated acknowledgement form solution, the Postal Service is at a greater risk of incurring fines for violating the Privacy Act of 1974.

Maintaining hard copy or scanned versions of acknowledgment forms is very costly in the digital age. There are various automated solutions to manage hard copy documents enterprise-wide. Specifically, enterprise content management systems can be used by organizations to store and manage documents. A solution such as an enterprise content management system would allow the Postal Service to store hard copy forms electronically to provide improved access and monitoring capabilities. Benefits include:

■ Compliance with the Privacy Act and better oversight of NCOALink contractual activities.

■ Elimination of paper acknowledgement forms and electronic storage accessible by external and internal stakeholders.

■ Elimination of a single acknowledgement form ID shared by multiple business mailers.

■ Support for proper governance of NCOALink data by ensuring completion of the acknowledgement form process and compliance with policies and regulations.

Recommendations

We recommend the vice president, Engineering, coordinate with the vice president, Information Technology, to:

1. Add the Change of Address Forms Processing System to the eAccess application or use an alternative method for user account management.

We recommend the vice president, Delivery and Post Office Operations:

2. Communicate user account management policies to all Computerized Forwarding System site employees.
3. Direct Computerized Forwarding System site employees to securely store hard copy change of address orders in accordance with policy.

We recommend the vice president, Product Information, direct the manager, Address Management, to:

4. Re-initiate the certification and accreditation process for the National Change of Address application to identify and document security risks as required.

5. Upgrade the outdated [redacted] used in the National Change of Address Linkage application to a more secure and compliant [redacted] before support for the current [redacted] ends.

6. Update license agreements to require that licensees include the names of cooperative database business mailers and their data activities in their monthly performance reports.

We recommend the vice president, Product Information, direct the manager, Address Management, to coordinate with the associate general counsel and chief ethics/compliance officer, and the manager, Corporate Information Security, to:

7. Implement a process to ensure current legal, security, privacy, and compliance requirements are included in all National Change of Address Linkage license agreements.

We recommend the vice president, Product Information, direct the manager, Address Management, to coordinate with the manager, Corporate Information Security, and the postal inspector in charge, Security and Crime Prevention, to:

8. Implement a process and plan of action for establishing and conducting random site security reviews of National Change of Address Linkage licensees to verify adherence to license agreement requirements, as required.

We recommend the vice president, Product Information, direct the manager, Address Management, to consult with the vice president, Information Technology, to:

9. Evaluate solutions to automate the Processing Acknowledgment Form process.

Management's Comments

Management agreed with recommendations 4, 5, 8, and 9.
Management disagreed with the findings and recommendations 1, 2, 3, 6, and 7 and with the other impact.

Regarding recommendation 1, management disagreed and stated the basis of the recommendation is flawed because the audit team only visited one CFS site. Management stated the CFS operators did not adhere to the password policy and established procedures cited in the training handbook. They also stated a conversion of the CFPS to eAccess would likely lead to the same scenario and additional expenses. Further, management stated properly enforcing the current CFPS password security measures would correct this issue.

Regarding recommendation 2, management disagreed and stated the observed shortcomings in one CFS site are not indicative of shortcomings in all CFS sites. However, management stated they will communicate with all CFS sites to remind them of the Postal Service policy regarding user account management.

Regarding recommendation 3, management disagreed and stated current policy requires CFS sites to destroy COA forms after 30 days and does not require secure storage during the 30-day period prior to destruction. Therefore, management stated they will continue to communicate and adhere to current policy regarding the destruction of COAs after 30 days.

Regarding recommendation 4, management agreed to resubmit the NCOALink application for a new certification and accreditation review with a target implementation date of April 1, 2015.

Regarding recommendation 5, management agreed and plans to commence a review of alternatives available to eliminate the use of the [redacted]. Management will complete the software changes to upgrade the [redacted] by [redacted].

Regarding recommendation 6, management disagreed with requiring licensees to include the names of cooperative database business mailers and their activities in monthly performance reports. Management stated the current NCOALink Full Service License Agreement requires licensees to comply with the separate "License Performance Requirements" and they will determine whether clarifying language regarding cooperative databases is needed and the appropriate document in which to place the language. Management plans to complete their determination by April 1, 2015.

Regarding recommendation 7, management disagreed with implementing a process to ensure current legal, security, privacy, and compliance requirements are included in all NCOALink agreements. Management stated Section 22.2 of the NCOALink Full Service Provider License Agreement and the "Service Provider Certification Procedures" require the licensees to provide the Postal Service with current information. Management also stated they will develop supplemental internal administrative processes to remind licensees to update information they provide to the Postal Service. Management plans to develop the internal processes by October 1, 2015.

Regarding recommendation 8, management agreed to implement a process and plan of action for establishing and conducting random site security reviews for NCOALink licensees by April 1, 2015.

Regarding recommendation 9, management agreed to evaluate potential solutions for automating the collection and management of acknowledgement forms by April 1, 2015.
See Appendix B for management's comments in their entirety.

Evaluation of Management's Comments

The OIG considers management's comments responsive to recommendations 1, 2, 4, 5, 8, and 9, and corrective actions should resolve the issues identified in the report. The OIG considers management's comments to recommendations 3, 6, and 7 nonresponsive.

Although management disagreed with recommendations 1 and 2, their statement does not refute the issue regarding sharing logon IDs and passwords among the Jackson CFS operators. We agree with management that the sharing of logon IDs and passwords does not adhere to policy, which we cited in the report and was the basis of our finding. Also, we reviewed Handbook 4050-01, CFPS Scanner Site Operations Training Course, and did not find any information on the proper use of logon IDs and passwords for establishing user accountability. However, we did reference Handbook AS-805, Section 9-4 in the report as criteria for proper account and password administration. In subsequent communications, Jackson CFS management stated this issue has been corrected and the four CFS employees are now using unique logon IDs and passwords. Although establishing a method for user account management would help prevent people from sharing accounts and passwords in the future, actions planned to remind CFS employees of user account management policy, coupled with actions already taken, should resolve the issue identified at the Jackson, TN CFS site.

Management's response to recommendation 3 does not correct the issue identified in this report. We agree policy exists that requires COA orders to be shredded after 30 days. However, storing COA orders in unsecured locations for up to a year does not comply with Handbook AS-805, Section 3-5.3 and Section 7-3.4, as noted in this report. Improper storage of sensitive COA orders increases the risk of an unauthorized individual gaining access to a customer's COA information. Therefore, we believe management should enforce the current security policies regarding the proper storage of COAs.

Management's responses to recommendations 6 and 7 do not correct the issues related to license provisions and monitoring noted in this report. Although the Licensee Performance Requirements provide technical requirements for the licensees, management does not require licensees to divulge the identity of cooperative database mailers accessing NCOALink data. Also, including the proper language in the NCOALink licenses to protect customer data lessens the risk of unauthorized access to Postal Service data in and outside the U.S.

Although management disagreed with the non-monetary impact noted in our report, we believe our calculations were conservative and reasonable. Our calculations were based on insufficient contract provisions requiring licensees and business mailers to secure customer data, and the absence of monitoring activities to ensure compliance with the NCOALink license agreements. As a result, sensitive-enhanced customer data provided to 466 third-party licensees are at risk of unauthorized access.

The OIG considers recommendations 4, 5, 6, 7, and 8 significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed. These recommendations should not be closed in the Postal Service's follow-up tracking system until the OIG provides written confirmation that the recommendations can be closed.

Appendices

Appendix A: Additional Information
  Background
  Objectives, Scope, and Methodology
  Prior Audit Coverage
Appendix B: Management's Comments

Appendix A: Additional Information

Background

The NCOA application is composed of several modules and components, one of which is NCOALink. NCOALink is a premailing address correction method and consists of a secure dataset of about 160 million permanent COA records of residential and business customers who have filed COA requests.

Business mailers who want bulk mail rates must use NCOALink to minimize the processing of UAA (undeliverable-as-addressed) mailpieces. This reduction in UAA mailpieces has contributed to lower costs and processing time for business mailers and the Postal Service. Business mailers wanting access to NCOALink data must get it through the licensees who have agreements with the Postal Service. The Postal Service has 515 agreements with licensees that fall under six license categories: Full-Service, Limited Service, Interface Developers, Interface Distributor, End User Mailer, and Mail Processing Equipment (manufacturing-integrator and data user). These licensees charge business mailers a fee for updating their mailing lists with customer address records from the NCOALink application.
The Postal Service strictly controls the matching logic of NCOALink data.\n\n                                                         Licensees are required to collect annual updates to acknowledgement forms from each of their customers and must secure these\n                                                         agreements before business mailers can perform NCOALink processing. The current acknowledgement form process relies strictly\n                                                         on maintenance of hard copy acknowledgement forms or acknowledgement form data stored by the licensees. Licensees are\n                                                         required to provide the Postal Service with monthly performance reports.\n\n                                                         Objectives, Scope, and Methodology\n                                                         Our objectives were to determine whether security controls over the NCOA manual process and NCOALink data adequately\nFindings\n\n\n\n\n                                                         protect the confidentiality and integrity of customer data and to identify potential solutions for improving the Postal Service\n                                                         acknowledgement form process. 
To accomplish our objectives, we interviewed managers and key officials from Address\n                                                         Management, CISO, Consumer and Industry Affairs, Engineering Systems, Information Technology, Postal Inspection Service,\n                                                         Law Department, Mail Entry and Payment Technology, Post Office Operations, Secure Digital Solutions, and Supply Management.\n\n                                                         We obtained and reviewed documentation and relevant information regarding security and privacy controls for the manual COA\n                                                         and NCOALink process. This includes processing COA orders and data through the CFS, PARS, and REC sites and relevant\n                                                         documentation related to NCOALink license agreements, Postal Service policies, and requirements. We reviewed potential\nRecommendations\n\n\n\n\n                                                         solutions (such as cloud, enterprise content management, and digital vault) for automating the acknowledgement form process.\n                                                         Lastly, we developed an understanding of the COA customer notification and fraud process and reviewed COA issues reported to\n                                                         Address Management, the Enterprise Customer Center via usps.com, and the Postal Inspection Service.\n\n                                                         To calculate other impact, we reviewed the Ponemon Institute\xe2\x80\x99s 2014 Cost of a Data Breach Study: United States to determine the\n                                                         Postal Service\xe2\x80\x99s cost per compromised record, the total risk for the NCOALink agreements, and the probable threat of a\n                                                         data breach.\n\n         
We conducted this performance audit from January 2 through September 2014, in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We discussed our observations and conclusions with management on August 5, 2014, and included their comments where appropriate.

We did not assess the reliability of any computer-generated data for the purposes of this report.

Prior Audit Coverage

Report Title: Delegations of Contracting Authority Outside of Supply Management
Report Number: SM-AR-14-007
Final Report Date: 8/05/2014
Monetary Impact: None
Report Results: Postal Service officials were not aware that Address Management personnel executed agreements with mail service providers without a required delegation. Specifically, Address Management officials did not have a delegation granting authority for personnel to sign agreements with service providers who provide address quality data correction services to mailers.

Report Title: Cloud Computing Contract Clauses
Report Number: SM-MA-14-005
Final Report Date: 4/30/2014
Monetary Impact: $12,429,228
Report Results: The 13 cloud computing contracts did not address information accessibility and data security for network access and server locations because the Information Security handbook in effect at the time of the contract award did not include these requirements. In addition, the Postal Service exempted a supplier from following the handbook for one contract that did not contain sensitive data. Although the data may not be sensitive, the handbook provides additional requirements such as insurance against losses resulting from data breaches and procedures for timely notification of these breaches. Management generally agreed with the findings, recommendations, and monetary impact.

Report Title: Security of File Transfer Protocol Transmissions
Report Number: IT-AR-12-009
Final Report Date: 9/12/2012
Monetary Impact: None
Report Results: Controls surrounding FTP activities are not adequate to ensure protection of the Postal Service's sensitive data. Specifically, business areas throughout the Postal Service are transmitting sensitive data in [...]. Further, unnecessary FTP services are running on servers and mainframes on the Postal Service's network. We made seven recommendations; management agreed with six and disagreed with one.

Report Title: Patch Management Processes
Report Number: IT-AR-12-002
Final Report Date: 1/9/2012
Monetary Impact: None
Report Results: The Postal Service has not provided consistent oversight and monitoring of the patch management process to ensure uniform application across the enterprise. Specifically, we identified inconsistencies and non-compliance issues with the patch management processes, as well as unsupported operating systems and databases. We made 10 recommendations and management agreed with all but one.

Report Title: Data Breach Incident Reporting
Report Number: IT-AR-11-006
Final Report Date: 8/11/2011
Monetary Impact: None
Report Results: Management has adequate policies and operations in place to appropriately report and handle incidents and notify affected individuals of data breach incidents. However, management is not maintaining a complete, reliable record of data breach incidents in the Computer Incident Response Team database. In addition, the Postal Service did not update Chief Privacy Office procedures to reflect current processes for handling data breach incidents and include suggested key practices outlined in federal guidelines. We made two recommendations; management agreed with one and partially agreed with the other.

Appendix B: Management's Comments

Contact us via our Hotline and FOIA forms, follow us on social networks, or call our Hotline at 1-888-877-7644 to report fraud, waste or abuse. Stay informed.

1735 North Lynn Street
Arlington, VA 22209-2020
(703) 248-2100